Hello, I'm new here.
I have been searching for a solution to send the Linux servers' command-line history logs to the Graylog server, but I can't find anything on this... Can you help me?
Sounds like you need to log all commands to syslog, then connect that syslog to a Graylog input. Maybe check this out: https://www.baeldung.com/linux/log-all-user-commands
I have not tried it, just the first thing that came up.
There should be a ton of examples of connecting linux syslog to a Graylog input in the GL docs and on this forum.
I found an easy way to do it without Filebeat or Auditbeat...
At the end of the /etc/profile file I added this function:
function log2syslog
{
    # user who originally logged in (survives sudo/su); this is a command substitution, not a literal string
    From=$(/usr/bin/who am i | awk '{ print $1 }')
    declare COMMAND
    # last command line from the shell history
    COMMAND=$(fc -ln -0)
    # local1.notice, tag "bash", -i adds the shell PID; "--" ends option parsing before the message
    logger -p local1.notice -t bash -i -- "${From}:${USER}:${COMMAND}"
}
trap log2syslog DEBUG
The variables $From and $USER are for users who switch to other users with sudo; with this I can capture both users.
Then in the /etc/rsyslog.conf file add this line:
*.* @<graylog-server>:514;RSYSLOG_SyslogProtocol23Format
You can modify this last line with the facilities you want to capture.
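Once these lines reach Graylog, the interesting field is the "$From:$USER:$COMMAND" message body. Below is an added example (not from this thread or from Graylog) that parses RFC 5424 lines as emitted by RSYSLOG_SyslogProtocol23Format with the tag bash, splits the body into login user, effective user and command, and picks out commands run after a sudo/su switch; the sample log lines are constructed, and the split uses maxsplit=2 because a command may itself contain colons.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 5424 header as emitted by rsyslog's RSYSLOG_SyslogProtocol23Format:
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$"
)

@dataclass
class ShellEvent:
    host: str
    login_user: str      # $From: user who originally logged in (who am i)
    effective_user: str  # $USER: user the shell now runs as, after sudo/su
    command: str
    facility: int        # 17 == local1, as set by "logger -p local1.notice"
    severity: int        # 5 == notice

    @property
    def privilege_switch(self) -> bool:
        return self.login_user != self.effective_user

def parse_line(line: str) -> Optional[ShellEvent]:
    """Return a ShellEvent for a bash-tagged line, or None for anything else."""
    m = HEADER.match(line)
    if not m or m["app"] != "bash":
        return None
    pri = int(m["pri"])
    # body is "$From:$USER:$COMMAND"; only the first two colons are separators
    parts = m["msg"].split(":", 2)
    if len(parts) != 3:
        return None
    return ShellEvent(m["host"], parts[0], parts[1], parts[2].strip(), pri // 8, pri % 8)

def privileged_commands(lines: List[str]) -> List[ShellEvent]:
    """Commands where the effective user differs from the login user."""
    return [e for e in map(parse_line, lines) if e is not None and e.privilege_switch]

# constructed sample lines (PRI 141 == local1.notice; the sshd line is noise to be ignored)
SAMPLE_LINES = [
    "<141>1 2024-05-01T10:00:00.000000+00:00 web01 bash 2345 - - alice:alice:ls -la",
    "<141>1 2024-05-01T10:00:05.000000+00:00 web01 bash 2350 - - alice:root:vi /etc/ssh/sshd_config",
    "<141>1 2024-05-01T10:00:09.000000+00:00 web01 bash 2350 - - alice:root:echo a:b:c",
    "<13>1 2024-05-01T10:01:00.000000+00:00 web01 sshd 900 - - Accepted publickey for alice",
]

if __name__ == "__main__":
    for ev in privileged_commands(SAMPLE_LINES):
        print(f"{ev.host}: {ev.login_user} as {ev.effective_user} ran: {ev.command}")
```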
Thanks!!